Paul Eggert <[email protected]> writes:

> On 2025-07-20 15:57, Arsen Arsenović wrote:
>> FWIW, the hassle is extraordinarily minor.
>
> That depends on the meaning of "minor". For me, it has been more of a hassle
> than I've wanted to deal with, partly due to keys expiring, partly due to
> hassles configuring the relevant tools, and partly due to my having to respond
> to emails about why my correspondents think my signatures are incorrect. I am
> grateful that I needn't deal with these hassles for the GNU projects I help
> maintain.

Interesting. I've found PGP keys trivial to deal with. EPA handles them
perfectly for emails in Emacs, and renewing keys on signing is pretty easy,
even despite having some hand-rolled infrastructure set up for WKD that needs
a semi-manual bump.

Note that commit signing doesn't imply email signing, however. Gentoo
requires all commits to be signed but few Gentoo developers send signed
emails, for instance.

In addition, you could use SSH keys to sign, if you prefer that for some
reason. People claim it's easier, so maybe it is (I personally don't see the
benefit when one has to now reinvent the keyring, and keep it maintained by
hand).

--
Arsen Arsenović
